APEX INDUSTRIAL MANUAL

25X1 31 MAR , HE Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060002-6 UkaT MEMORANDUM FOR: Executive Secretary, DCI Security Committee CIA Alternate Member, DCI Security Committee SUBJECT: APEX Industrial Manual 1. On 4 March 1980, your office forwarded a draft copy of the APEX Industrial Manual to the Policy and Plans Group, Office of Security, for information and retention. The trans- mittal slip suggested that PPG might wish to circulate the draft copy within OS to get comments which, in turn, could be introduced, as appropriate, by the Executive Secretary, DCI Security Committee. 2. While realizing that the deadline for comments regarding the proposed draft is past, the following sugges- tions, which are the result of internal OS coordination, are being forwarded for your information and submission, if appropriate, should the opportunity present itself at a later date for further input into the APEX Industrial Manual: a ee1~1, paragraph 2, line 6: It is suggested Page that the word "authority" be substituted for the word "activity." Rationale: The change will add clarity and preciseness. Page 1, paragraph 5: Concern was expressed as to how the government would assure that the implementing guidance to contractors is uniform from various government officials or agencies. It is suggested that any such guidance should be reviewed by the APEX Steering Group before any implementing directives are published. Page.2, paragraph 8: The requirement for annual inspections of contractor APEX control facilities may be unrealistic. Resource limita- tions may make the goal of annual inspections unattainable. OS 0 0814 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060002-6  Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060002-6 Page ~_~ ~3, paragraph 12: The annual (January) revalicon o access approvals, while a worthy goal, may, like the annual inspection cited in the above paragraph,'be unrealistic. This pro- posal will require extensive contractor input, the cost of which will be passed on to the government. Resource limitations may make the annual revalidation goal unattainable. Page 4, ara rya h 16c: It is suggested that a speci is time- rame be established for dispatching tracers when receipts are not re- turned. The establishment of such a time frame will serve as a guide for government as well as industrial contractors. Page 7, ara raphs 23a and 23b: In both paragraphs a -an it is suggeste the words "official or" be inserted before the word "non- official." Rationale: A great deal of culti- vation and possible elicitation of sensitive information could be accomplished by foreign nationals, be they representatives of DCID 1/20 countries or not, while operating under the blessing of an "official" contact. This being the case, it is felt that "official" as well as "nonofficial" contacts should be reportable. Page 8 ara raph 26: The colon at the end of the page should be replaced with a paragraph classification marking. (U) is suggested. Pages 10 and 11, paragraphs 35, 38 and 39: It is suggested that a phase III level b f g, or its equivalent, be reinstated. Rationale: Paragraph 35 states that persons being briefed in the APEX-\EN RAL category will be told "their industrial firm has a contract or contracts with U. S. Government entities but may not necessarily be told of the specific departments or agencies." Since they "may" or "may not" be told of the specific sponsoring agency, it will be impossible to determine whether a person briefed APEX-GENERAL at either the phase I or phase II level is aware of the true sponsorship of a particular project. In other words, with the deletion of phase III level briefings, there is no quick and definitive method of determining who has or has not been briefed regarding true sponsorship. 2 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060002-6  Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060002-6 Paragraphs X38 and 39 also contain language which makes it impossible to determine whether a person is aware of tru, sponsorship. Para- graph 38 states that phase II level briefings permit knowledge of the sponsoring agency among other things, but then cautions that "it should not be assumed that all details will be given to all phase II accessed individuals." Para- graph 39 states that "generally" access to the cited subcompartment would not allow access to certain information, including details about government sponsorship. It is felt that to definitively determine who knows how much about what given activity a phase III level briefing or some equivalent must be reinstated. Page 11, era ,ras~h 38, line 1: The phrase ''this level of ational" is nconsistent with the preceding and following paragraphs and should not appear in italicized bold-face print. Page 12, paragraph 42: The entity "APEX Control taff s cite, without further elaboration, in this paragraph for the first time in the Manual and then is subsequently referred to at various points in the remainder of the document. It is suggested that the duties and composition of the APEX Control Staff be addressed at the beginning of the Manual, possibly under the "Organizational Structure" section on page 2. It is also noted that the need to define "APEX Control Staff" also exists in the "Security Manual for Government." Page 12, Paragraph 43: It is suggested that this paragraph be rephrased to eliminate the "at least annually" inspection of Contractor APEX Control Facilities (CACF). Preferred wording would be similar to that utilized on page 14, paragraph 48 ("technical security") which provides for inspections (1) upon accreditation, (2) following major physical renovation, and (3) at the discretion of the SI4. Rationale: Resource and budgetary limitations preclude fulfillment of the goal of annual inspections of all CACFs. 3 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060002-6  Approved For Release 2004/05/12 CIA-RDP85T00788R000100060002-6 Page 14, arra graph 49: It is suggested that the wording of this paragraph be changed to read: '1. . . in compliance with DCID 1/16 and standard requirements . ..." Also, it is proposed that the title of this paragraph be changed from "Computer Security" to !'Information Systems Security." Rationale: The reference to DCID 1/16 provides a precise standard which can, as necessary, be supplemented by the responsible SIO. The title change is felt to be more descriptive and will reflect cognizance over information systems, not necessarily just those having to do with computers. Page 14, paragraph SO: The wording of this paragraph should e- c anged to make it clear that the responsible government office will arrange the required inspections and tests, and advise the contractor of required corrective measures. However, it should be the contractor who schedules and takes the corrective action, after which the responsible government official monitors compliance. Rationale: The responsibility and expense of required corrective action should clearly be shown to belong to the contractor. Page 14, arara h 51, line 4: The spelling of t-!necessity` saou~~ corrected'. Pa a 17 ara ra h 59d: It is suggested that is paragraph be revised to require that APEX document control numbers be placed on all pages of APEX controlled documents, not just on the front cover (if any), title page (if any) and front page. Rationale: If interior pages of APEX controlled documents bear no control number, control is lost if the interior pages should ever become separated from the basic document. For example, how would lost pages of documents, once found, be traced back to the original? How would a contractor employee, displaying a document on a cathode ray tube (CRT) in order to make a hard copy of it know the number to use to apply a control to the new document? If most (interior pages) of the controlled materials in the APEX control system bear no control numbers, then what real control does the APEX system have? Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060002-6  Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060002-6 Page 19, par__agraph_63, line 8: It is suggested that the word __'rsh6u11_GT"_Te replaced with "will." Rationale: This should be a firm (not optional) requirement and "will" strengthens the direction. Page 21, paragraph 72: The requirement set forth'-n-- fiis paragraphi- states that the re- production of all hard-copy APEX material is to be accomplishedThy the Contractor APEX Security Officer (CASO) or Assistant Contractor APEX Security Officer (ACASO). This requirement seems too restrictive and rewording is sug- gested as follows: ". . . and shall be accom- plished by the CASO or ACASO or their designee in accordance with procedures approved by the cognizant SIO." Rationale: Contractor resources would not seem to allow all reproduc- tion to be done personally by the CASO or ACASO. Page 21, paragraph 77: The (?) at the end of this paragraph must be replaced with a para- graph marking. (U) is suggested. Page 42, paragraph 81: It is suggested that there be indivi ual accountability for all forms of photographic materials. Reportedly, there has been numbering and control in the past, and it is recommended that this individual account- ability practice be continued. Rationale: Con- trol is lost over film and photographic materials if individual accountability is discontinued. Page 23, paragraph 87: The (?) at the end of this paragraph must e replaced with a para- graph marking. (U) is suggested. Page 25, paragraph 95: It is suggested that this paragraph he E11a. ng-e~ to read: "Personnel are to be indoctrinated by a designated APEX Security Officer or Contractor APEX Security Officer, as deemed appropriate by the cognizant Government ASO." Rationale: In order to be consistent with current procedures and in consideration of resource limitations, it is suggested that both the ASO and the CASO, as appropriate, be authorized to indoctrinate approved personnel regarding the APEX Special Access Control System. 25X1 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060002-6  Approved For Release 2004/05/12 CIA-RDP85T00788R000100060002-6 SBBJECT: APEX Industrial Manual DISTRIBRI0 J: Orig - Adse 1 - D/Sec (d)- OS Reg 1 - PPG Chrono 25X1 OS/P&M/PPGAbt 24 March 19 0 Approved For Release 2004/05/12 CIA-RDP85T00788R000100060002-6